What You Need to Know About the Petya Ransomware Attack

Tuesday, June 27, 2017 - 20:02

Computing Services and Systems Development (CSSD) is aware of a new malicious software program named "Petya" that made news yesterday for infecting corporate systems in the U.S. and Europe. "Petya" is a type of ransomware that relies on unsuspecting users to click links or open an infected email attachment to download it. Once it has been opened, it encrypts files on the affected computer and network share drives, and the user is then required to pay a ransom to recover their files. One reason this malicious software has spread so aggressively is that it then attempts to infect other computers on the network that do not have the latest security updates and are not protected against "Petya".

CSSD strongly recommends that you do not reply to unsolicited emails or emails from unverifiable sources. Avoid clicking on or downloading unknown email attachments, as these may lead to sites that contain harmful software. If a link looks suspicious, you can hover over the link with your mouse to preview the URL without clicking on it.

In addition, CSSD urges you to take these steps immediately to protect yourself:

Be sure your system is running a recent version of Symantec Endpoint Protection with LiveUpdate enabled.

Be sure your system is running a recent version of Malwarebytes Premium with up-to-date definitions.

With Petya, Symantec Endpoint Protection and Malwarebytes Premium are critical as an infected system will keep attempting to infect machines on the local network even if the Windows vulnerability is patched. Students, faculty, and staff can download Malwarebytes and Symantec Endpoint Protection at no cost through the Software Download Service at My Pitt. Departments can submit a help request to obtain Malwarebytes for multiple machines.

Petya is ransomware that relies on the same Windows vulnerability that was central to last month's "WannaCry" attacks. It will encrypt the Master File Table for NTFS partitions and overwrite the Master Boot Record with a custom bootloader. The software will then demand a ransom payment. According to reporting by security researchers, Petya leverages the EternalBlue exploit that was made public in April and used by WannaCry to spread between systems on a network. EternalBlue utilizes a known Server Message Block (SMB) 1.0 vulnerability affecting most versions of Windows.
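Because the network spread described above depends on SMB 1.0, the following read-only PowerShell check reports whether that protocol is still enabled on a Windows machine. It is an added example, not a CSSD tool; the function name `Get-Smb1Status` is hypothetical, and the cmdlets and registry value it reads are the standard Windows ones.

```powershell
# Added example: report whether the SMB 1.0 server component is still enabled.
# Read-only; run from an elevated PowerShell prompt. Get-Smb1Status is a
# hypothetical helper name chosen for this example.
function Get-Smb1Status {
    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        ServerSmb1      = 'Unknown'  # SMB 1.0 server setting (accepts inbound connections)
        OptionalFeature = 'Unknown'  # Optional-feature state, informational only
        RegistrySmb1    = 'NotSet'   # Explicit registry setting (older Windows versions)
    }

    # Windows 8 / Server 2012 and later expose the SMB server configuration directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        try {
            $cfg = Get-SmbServerConfiguration -ErrorAction Stop
            $result.ServerSmb1 = if ($cfg.EnableSMB1Protocol) { 'Enabled' } else { 'Disabled' }
        } catch {
            $result.ServerSmb1 = 'Unknown'   # e.g. not elevated; fall back to the registry
        }
    }

    # Newer Windows versions also track SMB 1.0 as an optional feature.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        try {
            $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
            if ($feat) { $result.OptionalFeature = [string]$feat.State }
        } catch {
            $result.OptionalFeature = 'NotAvailable'
        }
    }

    # Older systems: the SMB 1.0 server is on unless this value exists and equals 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $result.RegistrySmb1 = if ($val.SMB1 -eq 0) { 'Disabled' } else { 'Enabled' }
    }

    # Verdict: trust the live server setting; otherwise assume the Windows default
    # (enabled) unless the registry explicitly disables it.
    $result.Smb1ServerEnabled = ($result.ServerSmb1 -eq 'Enabled') -or
        ($result.ServerSmb1 -eq 'Unknown' -and $result.RegistrySmb1 -ne 'Disabled')

    [pscustomobject]$result
}

Get-Smb1Status | Format-List
```

A `Smb1ServerEnabled` value of `True` means the machine still accepts SMB 1.0 connections and should be confirmed as fully updated.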